VICARIOUS LIABILITY AND DATA PROTECTION BREACHES

Can an employer be vicariously liable for the criminal actions of a rogue employee who deliberately disclosed co-worker’s personal details? This was considered by the High Court (HC) in the case of Various Claimants v Wm Morrisons Supermarkets plc.

Facts

Mr Skelton was employed by Morrisons as a senior IT internal auditor. As such, he was in a position of trust and had access to, and could use, personal data which was sensitive and confidential about employees.

On 1 November 2013, KPMG requested payroll data from Morrisons for external audit purposes. Mr Skelton was tasked with sending the data to KPMG. The data was contained on secure software, to which only a few employees had direct access. Mr Skelton was not one of them. Therefore, he was provided with an encrypted USB stick, which contained the information and which he downloaded onto his work computer. He subsequently loaded the information onto another USB stick provided by KPMG and forwarded it to them. However, the downloaded information remained on his work computer and he copied it onto a personal USB stick.

In early 2014, the personal details of almost 100,000 Morrisons’ employees were deliberately published on the internet and sent to three newspapers by Mr Skelton. Mr Skelton had harboured a grudge against Morrisons following disciplinary action the year before. Over 5,000 employees brought claims against Morrisons for breach of its statutory duty under the Data Protection Act (DPA), the misuse of private information and breach of confidence.

They argued that Morrisons had both primary liability for its own acts and omissions and vicarious liability for the action of Mr Skelton.

Decision

The High Court (HC) dismissed the claim based on primary liability. Mr Skelton had been given access to the data as part of his role, it was needed for an audit, but it had been published from his home, on his personal computer, outside of working hours with deliberate intent on harming Morrisons. Therefore in this case, it was Mr Skelton who was the data controller by taking the decision as to how the data on his personal computer should be processed and it was Mr Skelton who offended the relevant data protection principles, not Morrisons.

Whilst the HC agreed that Morrisons had taken precautions in limiting access to personal data, they did not have in place an organised system for the deletion of data, but this failure did not cause any loss, as this did not cause Mr Skelton’s disclosure.

As for vicarious liability, the issue was whether Mr Skelton’s actions were done in the course of his employment. In other words, was his wrongful conduct closely connected to his authorised duty? He had been entrusted with the data, had received it and copied it as part of his role. The HC held that the breach (the later publication of the data) was part of a seamless and continuing sequence of events, and that there was sufficient connection with his employment and the wrongful conduct.

Comments

Despite finding against Morrisons, the HC has already granted Morrisons leave of appeal. The HC is aware that its decision on vicarious liability would have the effect of the court being “an accessory” in furthering Mr Skelton’s criminal aims. Morrisons have indicated that it will appeal. It is therefore unlikely that we have heard the last of this case.

In the meantime, this will set alarm bells ringing for employers. The ruling suggests that even where much has been reasonably done to prevent the misuse of data and an employer is found not to be at fault under the DPA, it may still be found to be vicariously liable for any employee misusing data, even where the misuse of data is intended to cause reputational or financial damage.

The coming into force of the GDPR in May 2018 will likely extend the impact of this decision (if the ruling is not overturned) given the greater sanctions that will apply for data protection breaches.

Sign up to our newsletter for interesting articles and legal updates

Your email address will only be used for e-news and will not be shared with anyone else.